Updated CAS-004 Testkings | Latest CAS-004 Exam Tips

Security Architecture 29%

• Load balancer
• Intrusion detection system (IDS)/network intrusion detection system (NIDS)/wireless intrusion detection system (WIDS)
• Intrusion prevention system (IPS)/network intrusion prevention system (NIPS)/wireless intrusion prevention system (WIPS)
• Web application firewall (WAF)
• Network access control (NAC)
• Virtual private network (VPN)
• Domain Name System Security Extensions (DNSSEC)
• Firewall/unified threat management (UTM)/next-generation firewall (NGFW)
• Network address translation (NAT) gateway
• Internet gateway
• Forward/transparent proxy
• Reverse proxy
• Distributed denial-of-service (DDoS) protection
• Routers
• Mail security
• Application programming interface (API) gateway/Extensible Markup Language (XML) gateway
• Traffic mirroring
  -Switched port analyzer (SPAN) ports
  -Port mirroring
  - Virtual private cloud (VPC)
  -Network tap
• Sensors
  -Security information and event management (SIEM)
  -File integrity monitoring (FIM)
  -Simple Network Management Protocol (SNMP) traps
  -NetFlow
  -Data loss prevention (DLP)
  -Antivirus

- Segmentation

• Microsegmentation
• Local area network (LAN)/virtual local area network (VLAN)
• Jump box
• Screened subnet
• Data zones
• Staging environments
• Guest environments
• VPC/virtual network (VNET)
• Availability zone
• NAC lists
• Policies/security groups
• Regions
• Access control lists (ACLs)
• Peer-to-peer
• Air gap

- Deperimeterization/zero trust

• Cloud
• Remote work
• Mobile
• Outsourcing and contracting
• Wireless/radio frequency (RF) networks

- Merging of networks from various organizations

• Peering
• Cloud to on premises
• Data sensitivity levels
• Mergers and acquisitions
• Cross-domain
• Federation
• Directory services

- Software-defined networking (SDN)

• Open SDN
• Hybrid SDN
• SDN overlay

• Vertically
• Horizontally

- Resiliency

• High availability
• Diversity/heterogeneity
• Course of action orchestration
• Distributed allocation
• Redundancy
• Replication
• Clustering

- Automation

• Autoscaling
• Security Orchestration, Automation, and Response (SOAR)
• Bootstrapping

- Performance
- Containerization
- Virtualization
- Content delivery network
- Caching

• Secure design patterns/ types of web technologies
  -Storage design patterns
• Container APIs
• Secure coding standards
• Application vetting processes
• API management
• Middleware

- Software assurance

• Sandboxing/development environment
• Validating third-party libraries
• Defined DevOps pipeline
• Code signing
• Interactive application security testing (IAST) vs. dynamic application security testing (DAST) vs. static application security testing (SAST)

- Considerations of integrating enterprise applications

• Customer relationship management (CRM)
• Enterprise resource planning (ERP)
• Configuration management database (CMDB)
• Content management system (CMS)
• Integration enablers
  -Directory services
  -Domain name system (DNS)
  -Service-oriented architecture (SOA)
  -Enterprise service bus (ESB)

- Integrating security into development life cycle

• Formal methods
• Requirements
• Fielding
• Insertions and upgrades
• Disposal and reuse
• Testing
  -Regression
  -Unit testing
  -Integration testing
• Development approaches
  -SecDevOps
  -Agile
  -Waterfall
  -Spiral
  -Versioning
  -Continuous integration/continuous delivery (CI/CD) pipelines
• Best practices
  -Open Web Application Security Project (OWASP)
  -Proper Hypertext Transfer Protocol (HTTP) headers

• Blocking use of external media
• Print blocking
• Remote Desktop Protocol (RDP) blocking
• Clipboard privacy controls
• Restricted virtual desktop infrastructure (VDI) implementation
• Data classification blocking

- Data loss detection

• Watermarking
• Digital rights management (DRM)
• Network traffic decryption/deep packet inspection
• Network traffic analysis

- Data classification, labeling, and tagging

• Metadata/attributes

- Obfuscation

• Tokenization
• Scrubbing
• Masking

- Anonymization
- Encrypted vs. unencrypted
- Data life cycle

• Create
• Use
• Share
• Store
• Archive
• Destroy

- Data inventory and mapping
- Data integrity management
- Data storage, backup, and recovery

• Redundant array of inexpensive disks (RAID)

• Password repository application
  -End-user password storage
  -On premises vs. cloud repository
• Hardware key manager
• Privileged access management

- Password policies

• Complexity
• Length
• Character classes
• History
• Maximum/minimum age
• Auditing
• Reversable encryption

- Federation

• Transitive trust
• OpenID
• Security Assertion Markup Language (SAML)
• Shibboleth

- Access control

• Mandatory access control (MAC)
• Discretionary access control (DAC)
• Role-based access control
• Rule-based access control
• Attribute-based access control

- Protocols

• Remote Authentication Dial-in User Server (RADIUS)
• Terminal Access Controller Access Control System (TACACS)
• Diameter
• Lightweight Directory Access Protocol (LDAP)
• Kerberos
• OAuth
• 802.1X
• Extensible Authentication Protocol (EAP)

- Multifactor authentication (MFA)

• Two-factor authentication (2FA)
• 2-Step Verification
• In-band
• Out-of-band

- One-time password (OTP)

• HMAC-based one-time password (HOTP)
• Time-based one-time password (TOTP)

- Hardware root of trust- Single sign-on (SSO)- JavaScript Object Notation (JSON) web token (JWT)- Attestation and identity proofing

• Type 1 vs. Type 2 hypervisors
• Containers
• Emulation
• Application virtualization
• VDI

- Provisioning and deprovisioning
- Middleware
- Metadata and tags
- Deployment models and considerations

• Business directives
  -Cost
  -Scalability
  -Resources
  -Location
  -Data protection
• Cloud deployment models
  -Private
  -Public
  -Hybrid
  -Community

- Hosting models

• Multitenant
• Single-tenant

- Service models

• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)

- Cloud provider limitations

• Internet Protocol (IP) address scheme
• VPC peering

- Extending appropriate on-premises controls
- Storage models

• Object storage/file-based storage
• Database storage
• Block storage
• Blob storage
• Key-value pairs

• Data at rest
• Data in transit
• Data in process/data in use
• Protection of web services
• Embedded systems
• Key escrow/management
• Mobile security
• Secure authentication
• Smart card

- Common PKI use cases

• Web services
• Email
• Code signing
• Federation
• Trust models
• VPN
• Enterprise and security automation/orchestration

• Private information retrieval
• Secure function evaluation
• Private function evaluation

- Secure multiparty computation
- Distributed consensus
- Big Data
- Virtual/augmented reality
- 3-D printing
- Passwordless authentication
- Nano technology
- Deep learning

• Natural language processing
• Deep fakes

-Biometric impersonation

Security Operations 30%

• Tactical
  -Commodity malware
• Strategic
  -Targeted attacks
• Operational
  -Threat hunting
  -Threat emulation

- Actor types

• Advanced persistent threat (APT)/nation-state
• Insider threat
• Competitor
• Hacktivist
• Script kiddie
• Organized crime

- Threat actor properties

• Resource
  -Time
  -Money
• Supply chain access
• Create vulnerabilities
• Capabilities/sophistication
• Identifying techniques

- Intelligence collection methods

• Intelligence feeds
• Deep web
• Proprietary
• Open-source intelligence (OSINT)
• Human intelligence (HUMINT)

- Frameworks

• MITRE Adversarial Tactics, Techniques, & Common knowledge (ATT&CK)
  -ATT&CK for industrial control system (ICS)
• Diamond Model of Intrusion Analysis
• Cyber Kill Chain

• Packet capture (PCAP)
• Logs
  -Network logs
  -Vulnerability logs
  -Operating system logs
  -Access logs
  -NetFlow logs
• Notifications
  -FIM alerts
  -SIEM alerts
  -DLP alerts
  -IDS/IPS alerts
  -Antivirus alerts
• Notification severity/priorities
• Unusual process activity

- Response

• Firewall rules
• IPS/IDS rules
• ACL rules
• Signature rules
• Behavior rules
• DLP rules
• Scripts/regular expressions

• Credentialed vs. non-credentialed
• Agent-based/server-based
• Criticality ranking
• Active vs. passive

- Security Content Automation Protocol (SCAP)

• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Common Platform Enumeration (CPE)
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Asset Reporting Format (ARF)

- Self-assessment vs. third-party vendor assessment
- Patch management
- Information sources

• Advisories
• Bulletins
• Vendor websites
• Information Sharing and Analysis Centers (ISACs)
• News reports

• Static analysis
• Dynamic analysis
• Side-channel analysis
• Reverse engineering
  -Software
  -Hardware
• Wireless vulnerability scan
• Software composition analysis
• Fuzz testing
• ivoting
• Post-exploitation
• Persistence

- Tools

• SCAP scanner
• Network traffic analyzer
• Vulnerability scanner
• Protocol analyzer
• Port scanner
• HTTP interceptor
• Exploit framework
• Password cracker

- Dependency management
- Requirements

• Scope of work
• Rules of engagement
• Invasive vs. non-invasive
• Asset inventory
• Permissions and access
• Corporate policy considerations
• Facility considerations
• Physical security considerations
• Rescan for corrections/changes

• Race conditions
• Overflows
  -Buffer
  -Integer
• Broken authentication
• Unsecure references
• Poor exception handling
• Security misconfiguration
• Improper headers
• Information disclosure
• Certificate errors
• Weak cryptography implementations
• Weak ciphers
• Weak cipher suite implementations
• Software composition analysis
• Use of vulnerable frameworks and software modules
• Use of unsafe functions
• Third-party libraries
  -Dependencies
  -Code injections/malicious changes
  -End of support/end of life
  -Regression issues

- Inherently vulnerable system/application

• Client-side processing vs. server-side processing
• JSON/representational state transfer (REST)
• Browser extensions
  -Flash
  -ActiveX
• Hypertext Markup Language 5 (HTML5)
• Asynchronous JavaScript and XML (AJAX)
• Simple Object Access Protocol (SOAP)
• Machine code vs. bytecode or interpreted vs. emulated

- Attacks

• Directory traversal
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Injection
  -XML
  -LDAP
  -Structured Query Language (SQL)
  -Command
  -Process
• Sandbox escape
• Virtual machine (VM) hopping
• VM escape
• Border Gateway Protocol (BGP)/route hijacking
• Interception attacks
• Denial-of-service (DoS)/DDoS
• Authentication bypass
• Social engineering
• VLAN hopping

• Hunts
• Developing countermeasures
• Deceptive technologies
  -Honeynet
  -Honeypot
  -Decoy files
  -Simulators
  -Dynamic network configurations

- Security data analytics

• Processing pipelines
  -Data
  -Stream
• Indexing and search
• Log collection and curation
• Database activity monitoring

- Preventive

• Antivirus
• Immutable systems
• Hardening
• Sandbox detonation

- Application control

• License technologies
• Allow list vs. block list
• Time of check vs. time of use
• Atomic execution

- Security automation

• Cron/scheduled tasks
• Bash
• PowerShell
• Python

- Physical security

• Review of lighting
• Review of visitor logs
• Camera reviews
• Open spaces vs. confined spaces

• False positive
• False negative
• True positive
• True negative

- Triage event
- Preescalation tasks
- Incident response process

• Preparation
• Detection
• Analysis
• Containment
• Recovery
• Lessons learned

- Specific response playbooks/processes

• Scenarios
  -Ransomware
  -Data exfiltration
  -Social engineering
• Non-automated response methods
• Automated response methods
  -Runbooks
  -SOAR

- Communication plan
- Stakeholder management

• Identification
• Evidence collection
  -Chain of custody
  -Order of volatility
  1. Memory snapshots
  2. Images
  -Cloning
• Evidence preservation
  -Secure storage
  -Backups
• Analysis
  -Forensics tools
• Verification
• Presentation

- Integrity preservation

• Hashing

- Cryptanalysis

- Steganalysis

• Foremost
• Strings

- Binary analysis tools

• Hex dump
• Binwalk
• Ghidra
• GNU Project debugger (GDB)
• OllyDbg
• readelf
• objdump
• strace
• ldd
• file

- Analysis tools

• ExifTool
• Nmap
• Aircrack-ng
• Volatility
• The Sleuth Kit
• Dynamically vs. statically linked

- Imaging tools

• Forensic Toolkit (FTK) Imager
• dd

- Hashing utilities

• sha256sum
• ssdeep

- Live collection vs. post-mortem tools

• netstat
• ps
• vmstat
• ldd
• lsof
• netcat
• tcpdump
• conntrack
• Wireshark

Security Engineering and Cryptography 26%

• Application control
• Password
• MFA requirements
• Token-based access
• Patch repository
• Firmware Over-the-Air
• Remote wipe
• WiFi
  -WiFi Protected Access (WPA2/3)
  -Device certificates
• Profiles
• Bluetooth
• Near-field communication (NFC)
• Peripherals
• Geofencing
• VPN settings
• Geotagging
• Certificate management
• Full device encryption
• Tethering
• Airplane mode
• Location services
• DNS over HTTPS (DoH)
• Custom DNS

- Deployment scenarios

• Bring your own device (BYOD)
• Corporate-owned
• Corporate owned, personally enabled (COPE)
• Choose your own device (CYOD)

- Security considerations

• Unauthorized remote activation/deactivation of devices or features
• Encrypted and unencrypted communication concerns
• Physical reconnaissance
• Personal data theft
• Health privacy
• Implications of wearable devices
• Digital forensics of collected data
• Unauthorized application stores
• Jailbreaking/rooting
• Side loading
• Containerization
• Original equipment manufacturer (OEM) and carrier differences
• Supply chain issues
• eFuse

• Removing unneeded services
• Disabling unused accounts
• Images/templates
• Remove end-of-life devices
• Remove end-of-support devices
• Local drive encryption
• Enable no execute (NX)/execute never (XN) bit
• Disabling central processing unit (CPU) virtualization support
• Secure encrypted enclaves/memory encryption
• Shell restrictions
• Address space layout randomization (ASLR)

- Processes

• Patching
• Firmware
• Application
• Logging
• Monitoring

- Mandatory access control

• Security-Enhanced Linux (SELinux)/Security-Enhanced Android (SEAndroid)
• Kernel vs. middleware

- Trustworthy computing

• Trusted Platform Module (TPM)
• Secure Boot
• Unified Extensible Firmware Interface (UEFI)/basic input/output system (BIOS) protection
• Attestation services
• Hardware security module (HSM)
• Measured boot
• Self-encrypting drives (SEDs)

- Compensating controls

• Antivirus
• Application controls
• Host-based intrusion detection system (HIDS)/Host-based intrusion prevention system (HIPS)
• Host-based firewall
• Endpoint detection and response (EDR)
• Redundant hardware
• Self-healing hardware
• User and entity behavior analytics (UEBA)

• Internet of Things (IoT)
• System on a chip (SoC)
• Application-specific integrated circuit (ASIC)
• Field-programmable gate array (FPGA)

- ICS/supervisory control and data acquisition (SCADA)

• Programmable logic controller (PLC)
• Historian
• Ladder logic
• Safety instrumented system
• Heating, ventilation, and air conditioning (HVAC)

- Protocols

• Controller Area Network (CAN) bus
• Modbus
• Distributed Network Protocol 3 (DNP3)
• Zigbee
• Common Industrial Protocol (CIP)
• Data distribution service

- Sectors

• Energy
• Manufacturing
• Healthcare
• Public utilities
• Public services
• Facility services

• Availability
• Collection
• Monitoring
• Configuration
• Alerting

- Monitoring configurations
- Key ownership and location
- Key life-cycle management
- Backup and recovery methods

• Cloud as business continuity and disaster recovery (BCDR)
• Primary provider BCDR
• Alternative provider BCDR

- Infrastructure vs. serverless computing
- Application virtualization
- Software-defined networking
- Misconfigurations
- Collaboration tools
- Storage configurations

• Bit splitting
• Data dispersion

- Cloud access security broker (CASB)

• Certificate authority (CA)
• Subordinate/intermediate CA
• Registration authority (RA)

- Certificate types

• Wildcard certificate
• Extended validation
• Multidomain
• General purpose

- Certificate usages/profiles/templates

• Client authentication
• Server authentication
• Digital signatures
• Code signing

- Extensions

• Common name (CN)
• Subject alternate name (SAN)

- Trusted providers
- Trust model
- Cross-certification
- Configure profiles
- Life-cycle management
- Public and private keys
- Digital signature
- Certificate pinning
- Certificate stapling
- Certificate signing requests (CSRs)
- Online Certificate Status Protocol (OCSP) vs. certificate revocation list (CRL)
- HTTP Strict Transport Security (HSTS)